High Sierra Policy

- Since macOS 10.13.2 and the introduction of UAMDM (https://support.apple.com/en-gb/HT208488), Jamf changed the way a macOS device is enrolled, to get an experience similar to what we have with iOS.
Previously we pushed a QuickAdd package containing the Jamf binary, which was installed first, followed by the CA certificate (if applicable) and the MDM profile. Now we push the CA certificate first (if applicable), then the MDM profile. Once both are pushed, the binary is sent to the device with an InstallApplication command like any other MDM command. This can take a couple of minutes to execute because of MDM command queuing, which can delay the Enrollment Complete trigger since the binary may not be installed yet.
- So, in order to avoid this possible instability of the Enrollment Complete trigger with DEP, we recommend leaning on the Next Check-in / Once per computer trigger and frequency combination.
- Some advanced configurations create a custom trigger to distribute all the Setup policies (quite often numbered in steps of 10), called from a single policy that triggers the execution.
Example: we would create a custom trigger (called setup), and all our setup policies would use this trigger. We would organise them in numerical-alphabetical order. Then we would create a policy executed on Next Check-in / Once per computer that calls all policies triggered by the event 'setup'. We would do this with a Files and Processes payload executing the command 'policy -event setup'.
That's just an example of course, and you're free to be as creative as you wish.
I hope that gives you a bit of context and helps you succeed in your management of macOS devices.
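As an added example (not Jamf's code and not part of the original post), the script below shows the wrapper policy described above: it is meant to run from the Next Check-in / Once per computer policy, waits until the Jamf binary actually exists (the delay the InstallApplication queuing can cause) and only then fires the custom 'setup' trigger with the binary's `policy -event` verb. The path `/usr/local/bin/jamf`, the event name `setup`, the 300 second timeout and the function names are assumptions for illustration; the `JAMF_BIN` and `SETUP_EVENT` overrides exist only so the script can be exercised without a real Jamf install.

```shell
#!/bin/sh
# Constructed example: wrapper policy script that waits for the jamf binary
# before calling the custom 'setup' trigger. Not Jamf's own code.
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"   # assumed install path
SETUP_EVENT="${SETUP_EVENT:-setup}"           # assumed custom trigger name

# wait_for_jamf_binary <path> <timeout_seconds>
# Returns 0 as soon as the binary exists and is executable, 1 if the
# timeout elapses first (the InstallApplication command may still be queued).
wait_for_jamf_binary() {
    path="$1"; timeout="$2"; waited=0
    while [ ! -x "$path" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# build_policy_command <jamf_path> <event>
# Prints the exact command the Files and Processes payload would execute.
build_policy_command() {
    printf '%s policy -event %s\n' "$1" "$2"
}

# run_setup: wait for the binary, then run every policy on the custom trigger.
# If the binary never appears, give up and let the next check-in retry.
run_setup() {
    if wait_for_jamf_binary "$JAMF_BIN" 300; then
        "$JAMF_BIN" policy -event "$SETUP_EVENT"
    else
        echo "jamf binary not present after 300s; deferring to next check-in" >&2
        return 1
    fi
}

case "${1:-}" in
    run) run_setup ;;
esac
```

Invoke it as `sh setup_wrapper.sh run` from the policy; because the script waits for the binary rather than assuming it, the same policy is safe on both the Enrollment Complete and Next Check-in triggers.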

I also wanted to add some insights from other cases we had in the past:
"It is possible to grant a SecureToken without any user interaction with a script, although please note that it requires the script to have the username and password for both an administrator account that already has a SecureToken AND the mobile account we are targeting. This is an example of the command we would use:

This works because we are providing the credentials for both accounts inside the command, removing the need for any user interaction. Afterwards we'll see that the mobile account has a SecureToken and can be used to unlock the disk.

Note: This script may only work successfully on later versions of macOS 10.13. Earlier versions of the OS required the 'interactive' flag, which caused the user to be prompted for credentials. I've successfully tested this today on macOS 10.13.6."
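The quoted case above does not reproduce the command itself. As an added example, not the original author's script, the function below does the non-interactive grant with Apple's `sysadminctl`, using its `-secureTokenStatus` and `-secureTokenOn` options together with `-adminUser` / `-adminPassword` / `-password` for the two sets of credentials. The function names, the idempotency check and the `SYSADMINCTL` path override (so the logic can be dry-run against a stand-in binary) are assumptions of this example. The practical caveat it makes visible: because both passwords are passed as command-line arguments, they can be read from the process list while the command runs, so the values should come from protected script parameters and never be hardcoded in the policy.

```shell
#!/bin/sh
# Constructed example: grant a SecureToken to a mobile account without user
# interaction. Not the original poster's script.
# SYSADMINCTL may be overridden to point at a stand-in for testing.
SYSADMINCTL="${SYSADMINCTL:-/usr/sbin/sysadminctl}"

# has_secure_token <user> : 0 if the token is enabled, 1 otherwise.
# sysadminctl reports "Secure token is ENABLED/DISABLED for user ..." on
# stderr, so both streams are captured before matching.
has_secure_token() {
    "$SYSADMINCTL" -secureTokenStatus "$1" 2>&1 | grep -q 'ENABLED'
}

# grant_secure_token <admin> <admin_password> <target> <target_password>
# Skips the call if the target already holds a token, otherwise enables it
# using the token-holding administrator's credentials, then re-checks.
# Passwords are visible in the process list while sysadminctl runs.
grant_secure_token() {
    admin="$1"; admin_pw="$2"; target="$3"; target_pw="$4"
    if has_secure_token "$target"; then
        echo "SecureToken already enabled for $target"
        return 0
    fi
    "$SYSADMINCTL" -adminUser "$admin" -adminPassword "$admin_pw" \
        -secureTokenOn "$target" -password "$target_pw" >/dev/null 2>&1
    has_secure_token "$target"
}

# In a Jamf policy the four values arrive as script parameters $4..$7:
#   sh grant_token.sh grant "$4" "$5" "$6" "$7"
case "${1:-}" in
    grant) shift; grant_secure_token "$@" ;;
esac
```

The trailing `has_secure_token` call is the part worth keeping in any version of this script: `sysadminctl` exits 0 even when the grant silently fails (wrong password, admin without a token), so the status re-check is the only reliable success signal for the policy log.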